This article originally appeared in Access Control Trends & Technology, an annual bonus publication to Security Business magazine and Security Technology Executive magazine.
To better understand the present state of the physical access control systems that are deployed in the market, HID Global conducted a survey of just over 1,000 respondents across a wide range of physical access control job roles and geographies. It follows similar surveys conducted by HID Global in 2020 and 2021 that likewise explored the demands and challenges of utilizing physical access control systems on a daily basis, whether significant upgrades are required, and what respondents desire from their solution to support operational practice.
While HID’s 2020 State of Physical Access Control Report found that 51% of respondents believed their current system either met or exceeded their requirements, just two years later, this figure has dropped to 41%. During this two-year period, a global pandemic has led to a significant change in fundamental organizational practices beyond what could have reasonably been predicted three years ago. Following are the most significant findings from the 2022 report.
Traditional Credentials and Physical Badges Remain in Use
Access control credentials have undergone an evolution in recent years. Older credentials introduced in the 1980s and 1990s are unencrypted and much easier to duplicate than modern options such as Seos® and MIFARE DESFire EV3 credentials with security features such as encryption and mutual authentication that are inherently more secure. Despite this, almost a third of respondents stated they are using 125 kHz low-frequency prox, and 35% also support magnetic stripe technology. Technology such as first-generation MIFARE Classic and iCLASS is being used by 18% and 26% of organizations, respectively.
It is also unsurprising that 60% of organizations use ID badges for access control purposes –while they do provide a ready-madetouchless solution. Time and attendance systems, where employees can check in and out of work for payroll and other administrative functions are being used by 50% of companies, and 49% are using parking/gate control.
Though newer technology, such as biometrics and mobile ID, is being used by fewer organizations, there is now significant uptake in the marketplace. According to the report, 32% of respondents said they were actively using mobile IDs, while another 30% are actively using biometrics technology – whether that be fingerprint, facial or iris recognition. An additional 17% of respondents cited they were planning to upgrade to biometric access control or were already in the process of doing so, while another 19% said the same about mobile technology.
Over half (55%) of organizations are now using logical access (secure computer/network login for access to cloud and web resources) – a figure which is likely to have risen significantly during the pandemic as security and IT teams needed to ensure employees could access the necessary systems remotely, without compromising security. Many companies had to implement significant changes to their operating procedures to accommodate remote working, to prevent data leakage and cyber security vulnerabilities. The need for physical access control measures enabling hybrid work and onsite essential employees may have also played a role.
Challenges to User Satisfaction
Improving user convenience was the challenge most cited as security professionals’ top day-to-day challenge with systems, and 43% would like to make the administration of physical access control easier.
Twenty-six percent of those surveyed selected ‘complying with new regulations in their top three challenges, while 13% chose ‘reducing physical touchpoints’. With one in four looking to ensure their access system is up to date with the latest regulations, and for just over one in 10 to select contactless technology as a top three day-to-day challenges, this may indicate that COVID-based practices are continuing to have an influence on security and facilities management professionals.
There is also a clear demand for more integrated systems, with 27% citing ‘integrating with other enterprise systems in their top three day-to-day challenges. With the move away from proprietary technology to open platforms, such as OSDP, organizations are able to reap the benefits of connected devices that relay information to each other to determine automated actions.
Upgrades are a Major Issue
If only 41% of users believe their current access control system meets or exceeds their requirements, clearly there are several obstacles that remain to an upgrade process. Despite this, 38% of all respondents plan to update their physical access control system in some way in 2022. 28% of respondents were ‘not sure’, indicating that decisions may depend on whether the reduction of COVID restrictions and reigniting of sector-specific economies continues.
In addition, over a third of professionals are planning to upgrade at least one, if not all, of their access control components within the next three years. While vendors continually work to make replacing systems easier than ever – particularly if staying with the same provider but upgrading to newer models – a full upgrade of readers, credentials, controllers, and/or software is not likely to be a decision made lightly. Regardless of the planning and specification processes involved, it takes installers and integrators time and money to conduct the work, resulting in potential inconvenience for staff and visitors.
Software is considered the easiest to upgrade, with some providers able to integrate newer versions to older hardware devices via cloud-based updates. But it is also easier than ever to upgrade separate components of physical access control systems thanks to open software technology, such as OSDP. Technology from different manufacturers can now be integrated to work together, using open protocols rather than proprietary, closed technology, meaning that users can upgrade readers or credentials without having to upgrade both at the same time.
Traditionally, the upgrade decision-making process for a system so integral to the security of a facility or organization would likely fall directly to the security department. While major upgrade projects may require sign-off from the C-suite, much of the planning, specification and procurement process would have been undertaken by the security team, collaborating with facilities or IT where appropriate.
As the industry moves away from standalone technology, however, the access control system – much like video surveillance – is doing far more than simply providing a barrier to entry to unauthorized individuals. Instead, as the technology and software available have evolved, access control is now integrating with HR, facilities, IT, HVAC and many more building systems.
The survey revealed that installers, integrators, consultants and vendors who deal directly with the end-user will have to balance multiple demands and departmental influences when implementing upgrades. Across the board, there appears to be some involvement from several departments in the purchasing of physical access control systems. Generally, and as one might expect for any major internal upgrade plan, the C-suite – including CISO, CSO, CIO and CTO – was most selected as having final authority. The physical security, IT and information security and facilities team were also said to have either final authority or make final recommendations on Physical Access Control Solutions (PACS) upgrades by the majority.
While very few responses cited that sustainability departments – or those professionals who have responsibility for an organization’s environmental footprint (not all may have entire departments) – had the final recommendation or authority over decisions, 75% of professionals did at least have ‘some influence’. 28% were even said to be ‘fully consulted’ in decisions, marking a clear effort by organizations to understand how new purchases and upgrades in access control technology can have an impact on sustainable practices.
The survey also revealed the drive for physical security and cyber/IT security departments to work closer together. As physical security systems and devices have evolved into IP-based products, many are now directly attached to the organizational network. This has brought many benefits, but also challenges and concerns over potential vulnerabilities. While vendors play a key role in ensuring systems have some level of ‘built-in’ protection – adhering to standards such as cyber essentials or ISO 27001 – IT professionals will want to ensure that anything attached to their network is compliant and there is no risk of access from hackers, via a vulnerability in an access control reader, for instance.
Proponents of the ‘convergence’ of security highlight the need for a culture shift away from siloed departments with separate funding sources and strategies to one of inclusion and collaboration. Physical security hardware can be a ‘gateway’ for cyber-physical threats, and access control systems may therefore require both the physical and cyber departments to have oversight of the tech being used.
Despite the demand for upgrading access control, there remain several obstacles in doing so – the most obvious of which is cost. Indeed, 38% of those asked selected this as their biggest obstacle to upgrading, while another 15% answered that there was a lack of compelling ROI and that it wasn’t a business priority for the budget. Whatever the obstacles to upgrading, with 38% of respondents looking to update or upgrade some form of their access control system in 2022 alone, there is clear demand and awareness of the need to do so.
There is also a clear push towards long-term convenience, as end-users, consultants and integrators become increasingly aware of the move away from proprietary models towards open, long-term standards and solutions. Forty-nine percent of those surveyed said they would require the ‘ability to add or support new tech in the future, 33% require ‘integration with existing security platforms’, while 28% argued for ‘open-standards’ based tech’.
Users are also keen to embrace innovative technology, it would appear. 43% answered ‘touchless/contactless capabilities’, which could be seen as a direct consequence of the pandemic which has led to an adjustment of health and safety best practices in the workplace and multi-occupied residential buildings. Despite many countries actively reducing such requirements, this number has only grown since HID Global’s own State of Access Control Report in 2021 (41%).
Meanwhile, 41% required the ability to utilize mobile in a new access control system. In a separate question, where we asked respondents to select the one technology that they thought would have the greatest impact on improving physical access control, one in five selected touchless (20%) or mobile access (18%).
Access Control’s Role in Monitoring Building Occupancy
The survey also revealed how the pandemic has shifted patterns of work in organizations across the world, and how this impacts access control.
For those who have transitioned to a hybrid model of both remote and in-person work, building occupancy monitoring has become more important to ensure facilities remain as efficient as possible and to allow the c-suite to make informed decisions about building usage.
Occupancy data feedback has evolved from simply knowing how many individuals are in a building or on-site for safety purposes, such as in the event of an evacuation or emergency, to Real-Time Location Systems (RTLS). According to the survey, 39% of organizations are able to measure both the number and location of employees and visitors on site, while 21% are unable to, or choose not to, monitor either. 34% of respondents cited they only know the number of employees and visitors on site, but not location. The final 6% only know the location of employees and visitors, but not the number – perhaps unsurprising given that most systems that are able to track location will be monitoring occupancy numbers simultaneously.
As many businesses looked to streamline their operations and save money during 2020 and 2021, those with occupancy data were able to assess whether they could ‘offload’ office space that was rarely utilized. For organizations that have transferred to a hybrid work model, such technology also allows for better planning, to ensure desk spaces are always available, but not stretched – particularly on days that are busier than others.
Access control systems were the most popular form of method to monitor occupancy data, with 42% using them for employees and 34% for visitors. Time and attendance systems were also cited by 24% for employees and 15% for visitors, while electronic and even paper rosters remain in use – perhaps by smaller firms or for specific purposes, such as an on-site gym or leisure facilities. SMS and cellular systems were also being used by a few organizations (2%).
The growing adoption of physical access control systems to monitor occupancy data is just one of the many unexpected outcomes of the global pandemic. With a renewed focus on hygiene and safety practices and millions of people suddenly switching to remote working, the changing requirements of access control systems for security, facilities and IT teams to navigate have been more dramatic than ever before. The crossover of convenience and security has moved ever closer, but new working practices – many of which remain despite signs of a return to ‘normality’ – have also added prominence to building efficiencies and contactless solutions. While the 2022 Physical Access Control Technology report re-surfaced many of the same themes as the 2020 study, it is in these areas that the pandemic seems to be having an enduring influence.
About the author: Luc Merredew is the Product Marketing Director for Physical Access Control at HID Global. He possesses over 20 years of identity management, security and life safety experience. He joined HID Global in August 2015 as its product marketing director, physical access control, and previously served in product management and marketing positions for IDENTIV, UTC Fire & Safety, Kidde plc. and Kidde-Fenwal.